SUNY Downstate Medical Center
HIPAA - Health Insurance Portability and Accountability Act
HIPAA Privacy Auditing & Monitoring Program
By the Office of Compliance & Audit Services
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates all covered entities to establish policies and procedures to ensure the confidentiality of protected health information (PHI). DMC's comprehensive audit program was designed as an ongoing internal HIPAA compliance monitoring program and will ensure that the privacy policies and procedures are being followed correctly, that appropriate safeguards are in place and that the privacy of PHI is being maintained in accordance with the mandated standards.
II. Audit Activities
A. Physical Rounds- Physical rounds will be conducted that will incorporate a privacy assessment of physical safeguards for electronic, paper and oral PHI. During each round, the Privacy Assessment form will be completed. Any deviances from the required safeguard will be documented and reported to the appropriate administrator for further evaluation and follow up. The following elements will be reviewed during these rounds:
- Electronic Information
- Monitors facing the public;
- Systems left open on screens when not in use;
- Passwords & ID's visible to the public.
- Paper Information
- Patient information left unattended;
- Rooms or cabinets containing patient charts are not locked or supervised;
- Boards containing diagnostic information are visible to the public;
- Fax machines are located in non-secure areas;
- Patient information discarded in regular trash cans;
- Shredders not present or not functioning.
- Verbal Information
- Patient information discussed in public.
B. SYSTEM- GENERATED REPORTS
- Notice of Privacy (NOP)- Reports will be generated on a daily basis to ensure that
all patients that are seen received a Notice of Privacy upon admission or registration.
Follow up will be conducted of non-compliant areas to ensure appropriate NOP distribution.
The following circumstances will also be reviewed:
- Patients who were admitted/ registered in an emergent situation received a NOP after the emergency treatment was over;
- Patients who were pre-registered received a NOP during their actual visit/ admission;
- Patients whose records were accessed on Eagle for a lookup basis only had the NOP field updated when the patient came in for a visit or admission.
- Patient Rights- Reports will be generated of the following Eagle fields to ensure
that a patient's request for a privacy right was granted appropriately:
- Opting out of the facility directory;
- Specifying an individual to involve in the patient's care;
- Specifying an alternate communication.
- HIPAA Training- Periodic reports will be run from the HCCS online training database
of the following categories of individuals to ensure appropriate workforce training:
- Existing employees
- Residents & Housestaff
- New employees
C. Manual Review- In order to ensure that all of the HIPAA privacy policies and procedures are being followed correctly, a manual audit will be performed on several standards:
- Authorization Validity- A sampling of authorizations will be reviewed on a periodic basis to ensure that all required elements were incorporated on the form before any PHI was released.
- Minimum Necessary- Individual departmental policies and procedures will be reviewed to ensure adherence to the minimum necessary standard.
- Accounting of Disclosures- Departmental logs will be reviewed to ensure that all disclosures of PHI are documented in accordance with the Accounting of Disclosures requirements.
A. Deficiency Reports- Individual department deficiency reports identifying the findings and recommendations for corrective action plans will be documented and distributed to the respective departments. These reports will be based upon the following:
- Physical rounds
- System generated reports
- Manual review
B. Complaints- All patient privacy complaints will be documented, as well as the associated follow up, outcome and any disciplinary referrals. Complaints will be reviewed to determine trends, to identify types of complaints and any identified need for focused training.
C. Incidents- All reported incidents regarding a breach in patient confidentiality will be documented, as well as the associated follow up, outcome and any disciplinary referrals. Incidents will be reviewed to determine the root cause analysis of the event and any necessary modification to current processes.
D. Quarterly Summaries- Quarterly summaries reporting the program monitoring results and analysis will be submitted to the Compliance & Audit Oversight Committee of the following:
- Deficiency Reports
- Complaint Statistics
- Incident Statistics
- Employee Delinquent Training Summary
This HIPAA Privacy Auditing & Monitoring Program will be reviewed on an annual basis to ensure it is complete and up-to-date. Revisions to current policies and processes may result in a modification to this program.
Corrective action plans developed as a result of this program's ongoing monitoring will be consistently enforced. Additionally, the OCAS will provide focused training, as needed, to ensure adherence to this program.